Slashdot Mirror


Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1

Mark Wilson writes: Anyone using the Windows 10 preview has had a chance to use HTTP Strict Transport Security (HSTS) in Microsoft Edge, and today the security feature comes to Internet Explorer 11 in Windows 7 and Windows 8.1. This security protocol protects against man-in-the-middle attacks and is being delivered to users of older versions of Windows through an update in the form of KB 3058515.

18 of 56 comments

  1. Security by Dunbal · · Score: 3, Funny

    You'll be safe. Trust Microsoft. They know about security. When they promise it, they promise it.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Security by Anonymous Coward · · Score: 2, Insightful

      Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

      Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

    2. Re:Security by Opportunist · · Score: 5, Funny

      Oh for fuck's sake, at least read up on HSTS before you reach for the knee-jerk reaction to karma whore.

      Li'l hint: Karma whoring only works by saying what you think the groupthink will agree with if you manage to not look like a complete moron in the process. Like, say, by showing off that you know exactly zero about the topic at hand.

      A more sensible Karma whoring on the topic would be "Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago. And that qualifies as news on Slashdot these days, when MS implements something everyone else already has?". There you have MS bashing and /. bashing rolled into a single posting. Guaranteed to give you more up-mods than you could ever need.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Security by CaptainDork · · Score: 2

      Is up mods a goal?

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Security by __aaclcg7560 · · Score: 2

      Funny how after all that fear-mongering it ended up being Apple who is dominating personal computing with drab gray/black/white computers, tablets and phones where everybody has the same in a 1984-style.

      The 1980's and 1990's were dominated by PCs that came in one color and one color only: beige. If you don't like the current monochromatic regime, visit an Apple Store to see the new color scheme of gold, silver and space gray.

    5. Re:Security by mitcheli · · Score: 3, Interesting

      Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

      As a Microsoft Doomsayer, I'm not immune from jumping on this article to predict the future of how new zero-days will result in the mass pwning of Grandma's computers everywhere. That being said, I'm not blind to the fact that Apple is gaining an increased market share and that as time goes on, they will become an increasingly targeted platform as the profitability (be it in information or money) increases. Microsoft does have what appears to be a more responsive patch process than Apple. Apple is very slow at responding to reported exploits (albeit, Microsoft has been known to half-ass patch and to sit on patches as well). In any case, my biggest issue with this report is I'm curious how much community involvement Microsoft had with the development of this new protocol. In the past, they just create crap in-house without the involvement of industry partners (sometimes even closing them out of those conversations). The problem with this is there is less industry oversight on potential weaknesses and less input on modifications that can strengthen the underlying protocol. Protocols in particular are not something that needs to be developed by a small team of engineers without support of the industry as a whole, lest you get protocols like SMTP (whose author is on record apologizing profusely for not building in security). So, as a Microsoft doomsayer, I shall sit back and wait with my "I told you so" in my back pocket. In the meantime, IE/Edge/whatever the hell they want to call it can stay off my computer, thank you very much.

      --
      Select from tblFriends where interesting >= 4;
    6. Re:Security by sasparillascott · · Score: 3, Funny

      You're totally right AC. Microsoft is definitely someone consumers can trust with their security:

      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

  2. I can hardly wait! by timrod · · Score: 4, Funny

    I, for one, welcome this change to Internet Explorer. Now, I can know I am truly safe from man-in-the-middle attacks the next time I load a fresh Windows install and open IE10 so I can download Firefox.

    1. Re:I can hardly wait! by pushing-robot · · Score: 4, Interesting

      To be fair, a web browser download would be a great opportunity for a MITM attack.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:I can hardly wait! by Opportunist · · Score: 4, Informative

      Funny enough, due to how HSTS works, the security of exactly this connection will NOT be improved.

      For HSTS to work, you need to have visited a page before. Because the server sets a token that tells your browser that in the next X days/months/years, it should connect to this server using https, and https only. This means if you type in http://whateverpage.com/ it will automatically turn it into a https connection and the browser will not allow a connection if something is fishy, e.g. when the certificate is bogus.

      For this to work, though, your browser must already know that the server supports this. So you must have visited that page at least once.

      For the single time you use IE to download another browser, HSTS won't do you any good. But maybe you find comfort in the fact that your browser already has supported HSTS for quite a while now (IIRC about 4 years or so...).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:I can hardly wait! by Opportunist · · Score: 4, Interesting

      Possibly that they have had HSTS support for about 4 years now...

      It ain't foolproof, though, and with MS not supporting it 'til now it wasn't really that widely used (the server has to support it to work).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I can hardly wait! by cbhacking · · Score: 3, Interesting

      On the one hand, you're kind of wrong; any site that wants to can opt into the HSTS preload list, and IE uses the same preload list that Chrome, Safari, and Firefox use. The preload list, by the way, is not a "whitelist" in the usual sense; it simply has the effect of there having been a "zeroth visit" before the first visit, so the first visit is safe. After that, the site behaves as normal.

      On the other hand, it is true that getfirefox.com doesn't support HSTS at all (much less appear in the preload list, which would reject it anyhow for failing to have the response header present). Worse, though, mozilla.org doesn't seem to support it! At least, the Chrome dev tools don't list the Strict-Transport-Security header in responses from the site. That is a bizarre (and, frankly, unwise) omission.

      --
      There's no place I could be, since I've found Serenity...
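The HSTS mechanics described in the two comments above (a header-set policy that upgrades later http:// requests for a fixed time, the first-visit gap, and the preload list acting as a "zeroth visit"), as an added example that is not part of the thread: a small Python model of a browser's HSTS store. The hosts, header values and preload entry are constructed placeholders, not real sites or the real preload list.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed preload entry (hypothetical host): the "zeroth visit" shipped inside the browser.
PRELOAD = {"example-bank.test": True}  # host -> includeSubDomains
class HstsCache:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.now = now
        # host -> (expiry timestamp, or None for preloaded; includeSubDomains flag)
        self.store = {h: (None, sub) for h, sub in preload.items()}

    def note_response(self, host, headers):
        # Only an HTTPS response may set the policy; the caller is trusted to honour that.
        value = headers.get("strict-transport-security")
        m = value and re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if not m:
            return False          # no usable header: the host stays unknown
        max_age = int(m.group(1))
        if max_age == 0:          # max-age=0 tells the browser to forget the host
            self.store.pop(host, None)
            return False
        sub = bool(re.search(r"\bincludeSubDomains\b", value, re.I))
        self.store[host] = (self.now() + max_age, sub)
        return True

    def is_known(self, host):
        # Walk the host, then each parent; a parent counts only with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            e = self.store.get(".".join(labels[i:]))
            if e and (e[0] is None or e[0] >= self.now()) and (i == 0 or e[1]):
                return True
        return False

    def rewrite(self, url):
        # Upgrade http:// to https:// only for hosts with a live policy; others are left alone.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def first_visit_demo():
    # Constructed walk-through of the first-visit gap discussed in the comments.
    cache = HstsCache()
    first = cache.rewrite("http://getfirefox.test/download")       # never seen: stays plaintext
    cache.note_response("getfirefox.test", {"strict-transport-security": "max-age=31536000; includeSubDomains"})
    later = cache.rewrite("http://dl.getfirefox.test/setup.exe")   # policy now covers subdomains
    preloaded = cache.rewrite("http://example-bank.test/")        # preloaded: safe on first visit
    return first, later, preloaded
```

The model also shows why a policy needs refreshing: once max-age has elapsed without a new HTTPS visit, the host is treated as never seen again.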
    5. Re:I can hardly wait! by Bacon+Bits · · Score: 2

      Cygwin is the worst answer to pretty much any issue on Windows ever. Forcing a POSIX environment onto the Windows environment to do basic tasks is why Linux admins are so shit at administering Windows. Just learn the damn system you're using.

      If you need to have a script saved, just use PowerShell:

      Invoke-WebRequest -Uri 'ftp://ftp.mozilla.org/pub/firefox/releases/38.0.5/win32/en-US/Firefox Setup 38.0.5.exe' -OutFile 'C:\Firefox Setup 38.0.5.exe'

      If you really want you can parse the output from http://download.cdn.mozilla.ne..., but that seems like a huge waste of time. Just fetch a reasonably recent version and plan to update twice.

      Otherwise, just use ftp.exe.

      --
      The road to tyranny has always been paved with claims of necessity.
  3. other options by Anonymous Coward · · Score: 4, Informative

    looks like internet explorer is behind

    From wikipedia:
    Browser support
    Chromium and Google Chrome since version 4.0.211.0[28][29]
    Firefox since version 4;[30] with Firefox 17, Mozilla integrates a list of websites supporting HSTS.[20]
    Opera since version 12[31]
    Safari as of OS X Mavericks[32]
    Internet Explorer 11 on Windows 8.1 and Windows 7 since June 2015[33]
    Microsoft Edge and Internet Explorer 11 on Windows 10 Technical Preview support HSTS.[34][35]

  4. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  5. Oh Great by thegarbz · · Score: 5, Funny

    Oh great, MS finally woke up and implemented what everyone else already had at the very least a year ago.
    Also how low has Slashdot fallen that we now qualify MS getting something that everyone else already has as "news"?

    1. Re:Oh Great by Opportunist · · Score: 4, Funny

      I couldn't have said it better. Oh if only I had modpoints...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Scan for malicious files without MitM? by hipsterdufus · · Score: 3, Informative

    While man-in-the-middle SSL connections sound like something everyone should be against, those in the corporate environment rely on using an in-line scanner to check for malicious/virus files going in/out of the corporate environment. Those entities need to be able to block/report on where those files originated and their final destination. To do that, they rely on the scanning device being the SSL endpoint in order to decrypt and inspect the content. I would hope that this ability will be configurable via AD policy to allow the corporate MitM certificate to be considered trusted; however, there are an increasing number of sites that have javascript which verifies the SSL connection and checks that there is no MitM SSL occurring. While it sounds safe, it actually HELPS virus/malware authors if browsers block MitM connections to ssl sites.

    An SSL cert is like $5 from Comodo, so if all browsers checked for MitM connections and prevented access, then corporations can't protect their networks from content on an SSL connection and would have to trust all content from the interwebs.

    There are security ramifications to increased security.